Building Secure Web Servers on AWS

When talking AWS, you will often hear buzzwords like “highly available, highly secure, fault-tolerant architecture.” Buzzwords are in reality important concepts, but not everyone understands what they actually mean.

As an aspiring Cloud Engineer and beginner AWS user, I’ve found that it’s important to know how to secure your AWS architecture. How do you do that, though? We will deal with the basic building block of AWS architecture, namely EC2 instances.

You can launch an EC2 instance from the AWS console with the default settings and then, relatively easily, log into the instance via SSH or RDP. It can literally be done in a couple of minutes.

But how can we secure our EC2 instance, so that we can say, “we have a secure EC2 running in AWS”?

Answer: by placing the EC2 instance in a private subnet. Private subnets are the answer to securing your compute architecture. When you place an EC2 instance in a private subnet, you prevent anybody on the internet from reaching your instance. This is because private subnets do NOT have a route to an Internet Gateway: the route table of a private subnet has no route to the internet via an IGW (Internet Gateway). This is the sole factor that distinguishes the default and public subnets from private subnets. Because most AWS newbies aren’t familiar with VPCs, they (knowingly or not) launch resources in the default VPC and its subnets, which are public by default. Again, what distinguishes a public subnet from a private one is whether its route table HAS or DOESN’T have a route to an IGW (Internet Gateway). Check out the screenshot.

0.0.0.0/0 is simply the default route; when its target is the IGW, it is the route to the internet. A private subnet’s route table will not have this route to the IGW, thereby preventing any way to reach resources in the associated subnet from the internet.
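As an added example (not code from the original post), here is a small Python script that applies this rule to the JSON that `aws ec2 describe-route-tables` returns: a subnet is public when its route table (or the VPC’s main route table, for subnets with no explicit association) has a 0.0.0.0/0 or ::/0 route whose target is an igw-. It goes one step beyond the post by treating a 0.0.0.0/0 route to a NAT gateway as private, since that route does not make the subnet reachable from the internet. The route table and subnet data below are constructed.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
ROUTE_TABLES_JSON = """{"RouteTables": [
 {"RouteTableId": "rtb-main", "VpcId": "vpc-1", "Associations": [{"Main": true}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
             {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
 {"RouteTableId": "rtb-priv", "VpcId": "vpc-1",
  "Associations": [{"Main": false, "SubnetId": "subnet-priv"}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
             {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0xyz"}]},
 {"RouteTableId": "rtb-v6", "VpcId": "vpc-1",
  "Associations": [{"Main": false, "SubnetId": "subnet-v6"}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
             {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0abc"}]}]}"""
ROUTE_TABLES = json.loads(ROUTE_TABLES_JSON)
# Constructed subnet -> VPC map (what `aws ec2 describe-subnets` would give you).
SUBNETS = {"subnet-default": "vpc-1", "subnet-priv": "vpc-1", "subnet-v6": "vpc-1"}


def route_to_internet(route):
    """True if this route sends default traffic (v4 or v6) to an Internet Gateway."""
    is_default = (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                  or route.get("DestinationIpv6CidrBlock") == "::/0")
    # A 0.0.0.0/0 route whose target is a NAT gateway (NatGatewayId) gives
    # outbound access only, so only an igw- target counts as "public".
    return is_default and str(route.get("GatewayId", "")).startswith("igw-")


def table_is_public(table):
    return any(route_to_internet(r) for r in table.get("Routes", []))


def classify_subnets(route_tables, subnets):
    """Return {subnet_id: 'public' | 'private'} from describe-route-tables data."""
    explicit, main_public = {}, {}
    for t in route_tables["RouteTables"]:
        for assoc in t.get("Associations", []):
            if assoc.get("Main"):
                main_public[t["VpcId"]] = table_is_public(t)
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = table_is_public(t)
    result = {}
    for subnet_id, vpc_id in subnets.items():
        # Subnets with no explicit association inherit the VPC's main route table.
        public = explicit.get(subnet_id, main_public.get(vpc_id, False))
        result[subnet_id] = "public" if public else "private"
    return result


if __name__ == "__main__":
    for sid, kind in classify_subnets(ROUTE_TABLES, SUBNETS).items():
        print(f"{sid}: {kind}")
```

Running it against real account data is the same call with the two dicts loaded from the AWS CLI output instead of the constructed sample.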

And there you have it. Simply launch an EC2 instance in a subnet whose route table has no route to an Internet Gateway, and you have yourself a secure EC2 instance.

But the question arises: how do you access this secure, private EC2 instance if you want to use it? And then the other burning question: how can this secure EC2 instance reach the internet if it needs to pull security updates? Another very important question. Answers to these two pressing questions in the next couple of blog posts.